[tor-bugs] #12089 [BridgeDB]: BridgedDB can be forced to email arbitrary email addresses

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Aug 9 22:43:55 UTC 2014


#12089: BridgedDB can be forced to email arbitrary email addresses
--------------------------+--------------------------------------
     Reporter:  isis      |      Owner:  isis
         Type:  defect    |     Status:  reopened
     Priority:  critical  |  Milestone:
    Component:  BridgeDB  |    Version:
   Resolution:            |   Keywords:  bridgedb-email, security
Actual Points:            |  Parent ID:
       Points:            |
--------------------------+--------------------------------------

Comment (by trygve):

 Added patch to test_smtp.py to reproduce the issue described in this
 ticket. The test sends an email to bridgedb in which the 'MAIL FROM'
 address in the SMTP header differs from the 'From' address in the email.

 Note: The test assumes that bridgedb should detect this situation and not
 generate a response. At the time of writing, this test fails because a
 response is generated.

 Note: At the time of writing, test_smtp.py has not yet been merged into the
 bridgedb master branch (currently in isis' repo).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12089#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
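
The check that the test in this comment expects, sketched as an added example (it is not BridgeDB's code and not trygve's patch): an auto-responder that stays silent unless the SMTP 'MAIL FROM' address and the single 'From' header agree. The function names, sample messages and addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (assumed content, not taken from the ticket).
MATCHING = "From: Alice <alice@Example.COM>\nSubject: get bridges\n\nget bridges\n"
SPOOFED = "From: victim@example.net\nSubject: get bridges\n\nget bridges\n"


def normalize(addr):
    """Lower-case the domain; keep the local part, which may be case-sensitive."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return local + "@" + domain.lower()


def reply_target(envelope_from, raw_message):
    """Return the address the responder may answer, or None to send nothing.

    envelope_from: address given in the SMTP 'MAIL FROM' command.
    raw_message:   message received after DATA, headers included.
    """
    envelope = normalize(envelope_from.strip().strip("<>"))
    if envelope is None:            # null sender "<>" (bounce) or malformed
        return None
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:      # missing or repeated From header
        return None
    mailboxes = getaddresses(from_headers)
    if len(mailboxes) != 1:         # several mailboxes in one From header
        return None
    header = normalize(mailboxes[0][1])
    if header is None or header != envelope:
        return None                 # the mismatch described in this ticket
    return envelope


if __name__ == "__main__":
    print(reply_target("<alice@example.com>", MATCHING))  # reply allowed
    print(reply_target("<alice@example.com>", SPOOFED))   # no reply
```

Both values are supplied by the SMTP client, so this enforces consistency between them and does not by itself authenticate the sender.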

